PGP : Java Glossary

The CurrCon Java Applet displays prices on this
web page converted with today’s exchange rates into your local international currency,
e.g. Euros, US dollars, Canadian dollars, British Pounds, Indian Rupees…
CurrCon requires an up-to-date browser
and Java version 1.7 or later, preferably 1.8.0_40.
If you can’t see the prices in your local currency,
Troubleshoot. Use Chrome for best results.

How is PGP Different from other Signing and Encryption?

PGP (plus related
systems like GNU (Gnu’ Not Unix!) privacy Guard, CTC (Concurrent Technologies Corporation),
and the more distant systems like Pegwit) uses public key encryption as a way of
exchanging the private keys you need for the faster conventional encryption (like
Triple-DES). PGP
does not require both communicating parties to know a shared private key agreed on in
advance the way DES (Data Encryption Standard)
does.

PGP is different
from other digital signing/encryption techniques in that there are no central
certificate issuing authorities. You make your own certificates (containing just your
name, email address and public key but not your private one) and get other ordinary
people to digitally sign them as accurate. This creates a web of trust. You know if a
certificate is valid by how much you trust the people who signed the certificate. You
tell PGP how much you
trust various certificates and how much you trust various people to accurately sign
other’s certificates and it computes a trustworthiness of each certificate on
your keyring.

Terminology

The PGP
people don’t use the term certificate like everyone
else does. They call them public keys even though the
public key files contain more information than just the public key. They use a single
key icon
to represent a public key and either a double key icon or a person’s head icon
to represent a public/private pair.

PGP
people sometimes erroneously refer to your private key as a
secret key. Granted the key is secret, but in crytography
the term secret implies there is no corresponding
public key.

You can safely give exported public keys to others and your public keyring file of
your entire key collection, but not your private/secret keyring file.

Backups

Make many backups of your PGP
data files, especially of all your private/secret keys and their passphrases and put
them where you are sure you will be able to find them again. You will never be able
to correct the public key registries without them to even delete the key. If you
loose the private key for an email address, you will never again be able to receive
encrypted mail on that mail address. People will continue to send you email encrypted
with your old lost key and you won’t be able to make any sense of it.

With Zimmerman’s PGP that I use, the public keys are stored in pubring.pkr and the private/secret keys are stored in secring.skr.

Be very careful when reinstalling software that you don’t leave you old keys
behind.

How to Find and Import Other People’s Public Keys

You
learn of other’s public keys by picking them off websites. For example, you can
download/see my PGP
public key at http://mindprod.com/contact/Roedy
Green pgp (0x6A4D31AA) pub.asc. You can sent me PGP-encrypted email with it
via . Please don’t attempt
PGP email with any
other of my email addresses or with any of my old public PGP
keys. The key looks like gibberish, but when you import it into your
PGP
keyring it contains my public key, name and email address hidden in there.

After you import someone’s public key you must sign it with your private
key, to indicate you consider it valid. You can then adjust the trust level you feel
about public keys that person has validated. There is no central authentication
agency. It all works by a peer to peer web of trust. There is a central registry like
a phone book of email addresses and public keys, but there is no guarantee that any
of its information is valid.

You can receive PGP certificates via unsecured email. You can discover
them in Newsgroup postings. PGP 7.0 contains a feature to lookup a public key or
register yours in any one of a number of central registries, e. g.

RFC 4880 describes how
client PGP software such
as EnigMail or GnuPG talks to the public key servers. Some webservers also allow you
to search for keys with your browser.

Once you declare my public key as trustworthy, then you can send me encrypted
email and you can verify if any digitally signed mail from me really came from
me.

If you just want to send me PGP-signed mail, you don’t even have to do that
much.

You importing my public key, however, is not sufficient to let me
send you encrypted email. (I need your public key
for that.) It won’t let me verify that email from
you really came from you. (I need your public key
for that.) Of course we both need some sort of PGP
software installed on our machines.

There is also a feature you can register a third party with the right to revoke
your key in case you lose your private key or forget your passphrase. However, it is
too late to do that once you lose you key or passphrase. If you lose your private
key, mail continues to arrive encrypted with your old key and databases persist in
handing out the obsolete key. All you can do is publicly ask people to use the new
key and email address and stop using the old ones. (How do I know this?…) In
Thunderbird Enigmail, you can create a revoke certificate you can later use if you
lose your keys to revoke the certificate.

Where to Get PGP

You can
download a simple PGP8.0 suite free from
PGPI.org. Unfortunately it does not
work on Vista.

All that is left of the original Network Associates (bought out by McAfee)
PGP
website are products with prices so high they won’t even post them. You have to
request a formal price quotation. These are clearly not aimed at personal users.

The freeware products are for non-commercial use. There are now a suite of
reasonably priced commercial products at the PGP Store.
For example a PC (Personal Computer)
PGP 1 year licence
is
$80.00 USD
The freeware editions don’t have integration into email. The freeware version
asks you to fill in a licence key. If you don’t, it turns off some features. If
you do, it upgrades to the commercial version.

The old, free Network Associates PGP
version 7.0.3 works with Eudora email integration.

The patent recently expired on PGP
and, in recent years, the patentholder, etwork Associates lost all interest in
supporting its former PGP
products. In recent years, we saw signing authorities like Thawte dropping PGP
support. Perhaps they will start re-instating it. Enigmail-PGP does not supportthe
latest Firefox. It looks like PGP
for the masses
has disappeared.

PGP and Eudora

PGP
is easiest to use if you have a mailer like Eudora that integrates it. You click on
the sign icon and nothing happens until you hit
send, then you key your passphrase. Send only plain message
if you want them readable. Eudora includes the body and your tagline in the
signature, but not the subject.

Signed formatted messages arrive as mysterious enclosures ending in *.ems. You must double click them to view them and verify the signature.
Eudora encrypts the body and your tagline, but not the subject.

When you click encrypt nothing happen until you hit
send. Then it automatically looks up the public key of the
recipient in the keyserver.pgp.com database. Encrypted
messages come in looking like gibberish with nothing telling you what they are. It is
up to you to recognize what them as encrypted messages and right click plugins, decrypt and verify.

Sometimes the encrypted message arrives as a *.ems
attachment. You must double click it and give your passphrase to decrypt it and
verify the signature. Eudora wisely gives you the option of leaving the message in
encrypted or unencrypted form in your mail folder. You may be trying to protect it
from prying eyes at your end as well as en route.

You can also digitally sign and/or encrypt your messages with
PGP
by having it sign the clipboard then paste the text back into pretty well any
newsreader/mailreader. That way your mailreader/newsreader need not support
PGP directly.
Unfortunately, only the message body then is signed. The header including the message
subject:, to: and from: are unprotected.

PGP and the Thunderbird Mail Reader

There is a free
PGP plug-in for
Thunderbird MailReader and also SeaMonkey called Enigmail. It supports inline-PGP RFC 4880
and PGP/MIME RFC 3156.
It uses GNU-PG.

PGP and Agent Newsreader

The add-on PGPeep partly
integrates PGP into Forte Agent, however it is not smart enough to
include the signature line in the digitally signed part of the message. This area of
integration is still in its infancy. It is not ready for the masses. It must become
totally transparent.

PGP Hex Encoding

Keyword Encoding

Public keys are sometimes represented by selections from a pair of 16 × 16 row-wise grids of 256 English words each using this list to encode the each byte of the
key, selecting the row as the high order nibble and the column as the low order
nibble. The advantage of the keywords is you can speak a public key over the phone
accurately. It protects you against dropping, transcription and mishearing. Words
are all quite distinct. See the PGP keywords Applet to interconvert back and forth
or to experiment to understand how it works.

Legal Issues

Americans have a silly law that code written in the
USA that does strong encryption cannot be exported outside the USA and Canada, even
though the algorithms are published. This has had the effect of stimulating European
and Australians to provide such software which is immune to the restriction, taking
business away from American companies. In particular, BouncyCastle.org is located in Australia. You can use
Oracle’s weak or strong JCE (Java Cryptography Extension), but if you use the
strong JCE, you
can’t export your product. The solution is to plug-replace Oracle’s
JCE with
one written outside the USA.

The other popular
scheme used for EMAIL signature verification and encryption is S/MIME. Unfortunately, Eudora does not natively support it,
though you can get plug-ins. Thawte no longer issues PGP
certificates.

When you send a message, you sign it with your own private key,
the one associated with the from email address and encrypt it with the
recipient’s public key, the one they ask you to use for that
particular email address.